How to Get Cyber Essentials Certified for Your Business
A plain-English guide to the UK's Cyber Essentials scheme — what it is, which level you need, the mistakes that trip businesses up, and how to get from "we should really do this" to certified without the stress.
If you've been told by a customer, an insurer, or a public sector tender that you need "Cyber Essentials," and you've spent ten minutes on the NCSC website since feeling more confused than when you started — you're not alone. It's one of the most common questions we get asked, and the honest answer is that Cyber Essentials is straightforward in principle but easy to get stuck on in practice. This guide walks through what it actually is, which level applies to you, where businesses typically get caught out, and how to get it done without it eating a fortnight of your time.
What is Cyber Essentials, and why does it matter?
Cyber Essentials is a UK Government-backed certification scheme, run by the National Cyber Security Centre (NCSC) and delivered through accredited certification bodies (the largest being IASME). It certifies that your business has five fundamental technical controls in place: boundary firewalls, secure configuration, user access control, malware protection, and security update (patch) management.
It matters for three practical reasons. First, a growing number of contracts — especially public sector and government-linked work — require it as a condition of bidding. Second, many cyber insurance policies now ask whether you hold it, and some offer better premiums or terms if you do (Cyber Essentials certification even includes a year of cyber liability insurance for qualifying UK organisations as part of the fee). Third, and often overlooked: the five controls it checks are genuinely the five things that stop the vast majority of real-world attacks. It's not a box-ticking exercise dressed up as security — it's a sensible baseline that happens to also unlock contracts and insurance benefits.
Which level do you need: Cyber Essentials or Cyber Essentials Plus?
There are two levels, and choosing the right one saves you time and money.
Cyber Essentials (self-assessment)
This is a self-assessment questionnaire covering your IT estate — devices, servers, cloud services, firewalls, and how you manage users and updates. You complete it, a qualified assessor reviews and marks it, and if it passes you're certified. It's the right starting point for almost every business, and it's often the level a customer or tender actually requires unless they've explicitly asked for Plus.
Cyber Essentials Plus (independently verified)
Everything in the base level, plus a hands-on technical audit: an assessor visits (or connects remotely) and actually tests a sample of your devices, checks patch levels, tries to run test malware in a controlled way, and verifies your controls are real rather than just documented. It costs significantly more and takes longer to arrange, but some contracts, insurers, and larger customers specifically require it because it proves the controls are actually in place, not just claimed.
Our rule of thumb: start with standard Cyber Essentials unless a specific customer, tender, or insurer has told you in writing that they require Plus. Most businesses never need to go beyond the base level, and it's far cheaper and quicker to obtain.
What it typically costs
There are two components to the cost — the certification body fee, and the work needed to get ready for it.
- Cyber Essentials (self-assessment) certification fee: IASME's current tiered pricing is roughly £330+VAT for micro businesses (1–9 staff), £400+VAT for small (10–49), £450+VAT for medium (50–249), and £500+VAT for larger organisations. This covers your assessment submission and, for qualifying UK businesses, a year of built-in cyber liability insurance.
- Cyber Essentials Plus certification fee: typically £1,500–£3,000+VAT, on top of the base certification, depending on how many devices/servers need sampling and the assessor you use.
- Getting ready: this is the bit that varies the most, and the bit most businesses underestimate. Add remediation work — patching, firewall reconfiguration, MFA rollout, replacing unsupported devices — plus consultancy time to actually complete the questionnaire correctly, and a typical small business (around 20–30 staff) is realistically looking at £1,800–£3,500 in total first-year cost once you include the certification fee.
The number that surprises people isn't the certification fee — it's the readiness work behind it. Which is exactly where most of the practical difficulty (and most of our support calls) comes from.
Where businesses commonly get caught out
The questionnaire looks like a form. In practice, it's asking precise technical questions about your entire IT estate, and a surprising number of businesses fail their first attempt, or find gaps they didn't know existed, because of a handful of recurring issues:
Windows 11 support across the whole business
Cyber Essentials requires that every device runs an operating system that's still receiving security updates from the manufacturer. Windows 10 reached end of support in October 2025, and any device still running it without an active Extended Security Updates (ESU) subscription is an automatic fail. The catch: not every older PC is eligible for a free upgrade to Windows 11 — it has minimum hardware requirements (TPM 2.0 being the one that trips most businesses up), so a business with a mix of laptop ages often finds a handful of machines simply can't be upgraded and need replacing. This is one of the most common last-minute scrambles we see, and it's worth checking your whole fleet well before you submit, not after.
Firewall configuration
Having a firewall isn't enough — the questionnaire asks about default passwords being changed, unnecessary open ports/services being closed, and rules being reviewed. Many businesses have a firewall that's been running untouched since installation, with default admin credentials still active or rules nobody remembers the reason for. This is a quick fix once identified, but it does need identifying.
Firmware and update management
It's not just Windows and applications that need to be patched — router, firewall, and network switch firmware counts too, and it's the layer businesses are most likely to have neglected because it doesn't nag you with a pop-up the way a laptop does. Assessors specifically ask how firmware updates are tracked and applied; "we've never really looked at it" is a common, and avoidable, gap.
Other frequent gaps
- BYOD (personal phones/laptops) accessing company email or files without being included in the scope or properly secured.
- Admin accounts being used for day-to-day work rather than a separate, tightly controlled account.
- Cloud services (Microsoft 365, Google Workspace) without MFA enforced on every account.
- Not knowing the exact scope of "in-scope" devices — old laptops in a cupboard, a forgotten server, a remote worker's home router — all of which the assessment technically covers.
How Aspire IT can help you get there
This is genuinely the part we enjoy, because it's a problem with a clear, achievable fix — you just need someone who's done it before to guide you through it rather than staring at a 70-odd question form on your own.
Here's what that looks like in practice:
- An onsite tech readiness review. Before you touch the questionnaire, we come to your premises and audit your actual estate against the five Cyber Essentials control areas — devices, firewalls, firmware, patching, user access, and MFA coverage. You get a clear list of what's already fine and what needs fixing before you apply, so there are no surprises partway through the assessment.
- Hands-on help completing the questionnaire. We sit with you (or do it on your behalf, with your input) and work through the assessment itself, translating the technical questions into plain terms and making sure the answers accurately reflect your setup — which matters, because an inaccurate answer can fail you even if your actual security is fine.
- Remediation support. Where the readiness review turns up gaps — unsupported devices, firewall tidy-up, firmware updates, MFA rollout — we can do the work directly, so you go into the assessment already compliant rather than hoping it passes.
- Ongoing consultancy if you're going for Cyber Essentials Plus, or if you want the certification maintained and re-verified each year without it becoming a recurring headache.
If you're already one of our IT Support clients: check your package, because for a number of our support customers, Cyber Essentials consultancy is already included as part of their ongoing IT Support agreement at no extra cost. It's worth a quick call to confirm rather than assuming you'd be paying for it separately.
A simple way to get started
If Cyber Essentials has been on your to-do list for a while, the realistic first step isn't the questionnaire — it's an honest look at where your IT estate currently stands. That's exactly what our onsite readiness review is for: we tell you what's already good, what needs fixing, roughly what it'll cost, and how long it'll realistically take, before you commit to anything. Most businesses find it's far more achievable than they expected once someone's mapped out the actual gaps.
Let's talk it through
Whether you need Cyber Essentials for a specific contract, an insurer, or just because it's good practice, we can help at whichever stage you're at — from a first readiness check through to filling in the questionnaire and fixing what needs fixing. Get in touch and we'll give you a straight answer on what's involved and what it'll cost for your business.
Published: 9th July 2026
Darren Fletcher
Operations Director (IT) @ Aspire. 30+ years building IT solutions for UK businesses. Happy to help you find a setup that fits.